Update consul Docker tag to v1.11.3 #91

Merged
merged 1 commit into from
Feb 13, 2022

@renovate renovate bot commented Feb 13, 2022

WhiteSource Renovate

This PR contains the following updates:

Package Update Change
consul minor 1.10.4 -> 1.11.3

Release Notes

hashicorp/consul

v1.11.3

Compare Source

1.11.3 (February 11, 2022)

IMPROVEMENTS:

  • connect: update Envoy supported version of 1.20 to 1.20.1 [GH-11895]
  • sentinel: (Enterprise Only) Sentinel now uses SHA256 to generate policy ids

BUG FIXES:

  • Fix a data race when a service is added while the agent is shutting down. [GH-12302]
  • areas: (Enterprise Only) Fixes a bug when using Yamux pool (for servers version 1.7.3 and later), the entire pool was locked while connecting to a remote location, which could potentially take a long time. [GH-1368]
  • ca: adjust validation of PrivateKeyType/Bits with the Vault provider, to remove the error when the cert is created manually in Vault. [GH-12267]
  • config-entry: fix a panic when creating an ingress gateway config-entry and a proxy service instance, where both provided the same upstream and downstream mapping. [GH-12277]
  • connect: fixes bug where passthrough addresses for transparent proxies dialed directly weren't being cleaned up. [GH-12223]
  • partitions: (Enterprise only) Do not leave a serf partition when the partition is deleted
  • serf: update serf v0.9.7, complete the leave process if broadcasting leave timeout. [GH-12057]
  • ui: Fix up a problem where occasionally an intention can visually disappear from the listing after saving [GH-12315]
  • ui: Fixed a bug with creating multiple nested KVs in one interaction [GH-12081]
  • ui: Include partition data when saving an intention from the topology visualization [GH-12317]
  • xds: allow only one outstanding delta request at a time [GH-12236]
  • xds: fix for delta xDS reconnect bug in LDS/CDS [GH-12174]
  • xds: prevents tight loop where the Consul client agent would repeatedly re-send config that Envoy has rejected. [GH-12195]

v1.11.2

Compare Source

FEATURES:

  • ingress: allow setting TLS min version and cipher suites in ingress gateway config entries [GH-11576]

IMPROVEMENTS:

  • api: Return 404 when de-registering a non-existent check [GH-11950]
  • connect: Add support for connecting to services behind a terminating gateway when using a transparent proxy. [GH-12049]
  • http: when a user attempts to access the UI but can't because it's disabled, explain this and how to fix it [GH-11820]
  • ui: Added a notice for non-primary intention creation [GH-11985]

BUG FIXES:

  • Mutate NodeService struct properly to avoid a data race. [GH-11940]
  • Upgrade to raft 1.3.3 which fixes a bug where a read replica node can trigger a raft election and become a leader. [GH-11958]
  • cli: Display assigned node identities in output of consul acl token list. [GH-11926]
  • cli: when creating a private key, save the file with mode 0600 so that only the user has read permission. [GH-11781]
  • config: include all config errors in the error message, previously some could be hidden. [GH-11918]
  • memberlist: fixes a bug which prevented members from joining a cluster with
    large amounts of churn [GH-253] [GH-12042]
  • snapshot: the snapshot save command now saves the snapshot with read permission for only the current user. [GH-11918]
  • ui: Differentiate between Service Meta and Node Meta when choosing search fields
    in Service Instance listings [GH-11774]
  • ui: Ensure login buttons appear for some error states, plus text amends [GH-11892]
  • ui: Ensure partition query parameter is passed through to all OIDC related API
    requests [GH-11979]
  • ui: Fix an issue where attempting to delete a policy from the policy detail page when
    attached to a token would result in the delete button disappearing and no
    deletion being attempted [GH-11868]
  • ui: Fixes a bug where proxy service health checks would sometimes not appear
    until refresh [GH-11903]
  • ui: Fixes a bug with URL decoding within KV area [GH-11931]
  • ui: Fixes a visual issue with some border colors [GH-11959]
  • ui: Fixes an issue saving intentions when editing per service intentions [GH-11937]
  • ui: Fixes an issue where once a 403 page is displayed in some circumstances it's
    difficult to click back to where you were before receiving a 403 [GH-11891]
  • ui: Prevent disconnection notice appearing with auth change on certain pages [GH-11905]
  • ui: Temporarily remove KV pre-flight check for KV list permissions [GH-11968]
  • windows: Fixes a bug with empty log files when Consul is run as a Windows Service [GH-11960]
  • xds: fix a deadlock when the snapshot channel already has a snapshot to be consumed. [GH-11924]

v1.11.1

Compare Source

SECURITY:

FEATURES:

  • Admin Partitions (Consul Enterprise only) This version adds admin partitions, a new entity defining administrative and networking boundaries within a Consul deployment. For more information refer to the
    Admin Partition documentation. [GH-11855]
  • networking: (Enterprise Only) Make segment_limit configurable, cap at 256.

v1.11.0

Compare Source

BREAKING CHANGES:

  • acl: The legacy ACL system that was deprecated in Consul 1.4.0 has been removed. Before upgrading you should verify that nothing is still using the legacy ACL system. See the Migrate Legacy ACL Tokens Learn Guide for more information. [GH-11232]
  • cli: consul acl set-agent-token master has been replaced with consul acl set-agent-token recovery [GH-11669]

SECURITY:

  • namespaces: (Enterprise only) Creating or editing namespaces that include default ACL policies or ACL roles now requires acl:write permission in the default namespace. This change fixes CVE-2021-41805.
  • rpc: authorize raft requests CVE-2021-37219 [GH-10925]

FEATURES:

  • Admin Partitions (Consul Enterprise only) This version adds admin partitions, a new entity defining administrative and networking boundaries within a Consul deployment. For more information refer to the Admin Partition documentation.
  • ca: Add a configurable TTL for Connect CA root certificates. The configuration is supported by the Vault and Consul providers. [GH-11428]
  • ca: Add a configurable TTL to the AWS ACM Private CA provider root certificate. [GH-11449]
  • health-checks: add support for h2c in http2 ping health checks [GH-10690]
  • ui: Add UI support to use Vault as an external source for a service [GH-10769]
  • ui: Adding support of Consul API Gateway as an external source. [GH-11371]
  • ui: Adds a copy button to each composite row in tokens list page, if Secret ID returns an actual ID [GH-10735]
  • ui: Adds visible Consul version information [GH-11803]
  • ui: Topology - New views for scenarios where no dependencies exist or ACLs are disabled [GH-11280]

IMPROVEMENTS:

  • acl: replication routine to report the last error message. [GH-10612]
  • agent: add variation of force-leave that exclusively works on the WAN [GH-11722]
  • api: Enable setting query options on agent health and maintenance endpoints. [GH-10691]
  • checks: add failures_before_warning setting for interval checks. [GH-10969]
  • ci: Upgrade to use Go 1.17.5 [GH-11799]
  • cli: Add -cas and -modify-index flags to the consul config delete command to support Check-And-Set (CAS) deletion of config entries [GH-11419]
  • config: (Enterprise Only) Allow specifying permission mode for audit logs. [GH-10732]
  • config: Support Check-And-Set (CAS) deletion of config entries [GH-11419]
  • config: add dns_config.recursor_strategy flag to control the order which DNS recursors are queried [GH-10611]
  • config: warn the user if client_addr is empty because client services won't be listening [GH-11461]
  • connect/ca: cease including the common name field in generated x509 non-CA certificates [GH-10424]
  • connect: Add low-level feature to allow an Ingress to retrieve TLS certificates from SDS. [GH-10903]
  • connect: Consul will now generate a unique virtual IP for each connect-enabled service (this will also differ across namespace/partition in Enterprise). [GH-11724]
  • connect: Support Vault auth methods for the Connect CA Vault provider. Currently, we support any non-deprecated auth methods
    the latest version of Vault supports (v1.8.5), which include AppRole, AliCloud, AWS, Azure, Cloud Foundry, GitHub, Google Cloud,
    JWT/OIDC, Kerberos, Kubernetes, LDAP, Oracle Cloud Infrastructure, Okta, Radius, TLS Certificates, and Username & Password. [GH-11573]
  • connect: Support manipulating HTTP headers in the mesh. [GH-10613]
  • connect: add Namespace configuration setting for Vault CA provider [GH-11477]
  • connect: ingress gateways may now enable built-in TLS for a subset of listeners. [GH-11163]
  • connect: service-resolver subset filters are validated for valid go-bexpr syntax on write [GH-11293]
  • connect: update supported envoy versions to 1.19.1, 1.18.4, 1.17.4, 1.16.5 [GH-11115]
  • connect: update supported envoy versions to 1.20.0, 1.19.1, 1.18.4, 1.17.4 [GH-11277]
  • debug: Add a new /v1/agent/metrics/stream API endpoint for streaming of metrics [GH-10399]
  • debug: rename cluster capture target to members, to be more consistent with the terms used by the API. [GH-10804]
  • dns: Added a virtual endpoint for querying the assigned virtual IP for a service. [GH-11725]
  • http: when a URL path is not found, include a message with the 404 status code to help the user understand why (e.g., HTTP API endpoint path not prefixed with /v1/) [GH-11818]
  • raft: Added a configuration to disable boltdb freelist syncing [GH-11720]
  • raft: Emit boltdb related performance metrics [GH-11720]
  • raft: Use bbolt instead of the legacy boltdb implementation [GH-11720]
  • sdk: Add support for iptable rules that allow DNS lookup redirection to Consul DNS. [GH-11480]
  • segments: (Enterprise only) ensure that the serf_lan_allowed_cidrs applies to network segments [GH-11495]
  • telemetry: add a new agent.tls.cert.expiry metric for tracking when the Agent TLS certificate expires. [GH-10768]
  • telemetry: add a new mesh.active-root-ca.expiry metric for tracking when the root certificate expires. [GH-9924]
  • types: add TLSVersion and TLSCipherSuite [GH-11645]
  • ui: Add upstream icons for upstreams and upstream instances [GH-11556]
  • ui: Add uri guard to prevent future URL encoding issues [GH-11117]
  • ui: Move the majority of our SASS variables to use native CSS custom
    properties [GH-11200]
  • ui: Removed informational panel from the namespace selector menu when editing
    namespaces [GH-11130]
  • ui: Update UI browser support to 'roughly ~2 years back' [GH-11505]
  • ui: Update global notification styling [GH-11577]
  • ui: added copy to clipboard button in code editor toolbars [GH-11474]

DEPRECATIONS:

  • api: /v1/agent/token/agent_master is deprecated and will be removed in a future major release - use /v1/agent/token/agent_recovery instead [GH-11669]
  • config: acl.tokens.master has been renamed to acl.tokens.initial_management, and acl.tokens.agent_master has been renamed to acl.tokens.agent_recovery - the old field names are now deprecated and will be removed in a future major release [GH-11665]
  • tls: With the upgrade to Go 1.17, the ordering of tls_cipher_suites will no longer be honored, and tls_prefer_server_cipher_suites is now ignored. [GH-11364]

BUG FIXES:

  • acl: (Enterprise only) fix namespace and namespace_prefix policy evaluation when both govern an authz request
  • api: Fix default values used for optional fields in autopilot configuration update (POST to /v1/operator/autopilot/configuration) [GH-10558] [GH-10559]
  • api: ensure new partition fields are omit empty for compatibility with older versions of consul [GH-11585]
  • areas: (Enterprise Only) Fixes a bug when using Yamux pool (for servers version 1.7.3 and later), the entire pool was locked while connecting to a remote location, which could potentially take a long time.
  • areas: (Enterprise only) make the gRPC server tracker network area aware [GH-11748]
  • ca: fixes a bug that caused non blocking leaf cert queries to return the same cached response regardless of ca rotation or leaf cert expiry [GH-11693]
  • ca: fixes a bug that caused the SigningKeyID to be wrong in the primary DC, when the Vault provider is used, after a CA config creates a new root. [GH-11672]
  • ca: fixes a bug that caused the intermediate cert used to sign leaf certs to be missing from the /connect/ca/roots API response when the Vault provider was used. [GH-11671]
  • check root and intermediate CA expiry before using it to sign a leaf certificate. [GH-10500]
  • connect/ca: ensure edits to the key type/bits for the connect builtin CA will regenerate the roots [GH-10330]
  • connect/ca: require new vault mount points when updating the key type/bits for the vault connect CA provider [GH-10331]
  • connect: fix race causing xDS generation to lock up when discovery chains are tracked for services that are no longer upstreams. [GH-11826]
  • dns: Fixed an issue where on DNS requests made with .alt_domain response was returned as .domain [GH-11348]
  • dns: return an empty answer when asked for an addr dns with type other than A and AAAA. [GH-10401]
  • macos: fixes building with a non-Apple LLVM (such as installed via Homebrew) [GH-11586]
  • namespaces: (Enterprise only) ensure the namespace replicator doesn't replicate deleted namespaces
  • proxycfg: ensure all of the watches are canceled if they are cancelable [GH-11824]
  • snapshot: (Enterprise only) fixed a bug where the snapshot agent would ignore the license_path setting in config files
  • ui: Ensure all types of data get reconciled with the backend data [GH-11237]
  • ui: Ensure dc selector correctly shows the currently selected dc [GH-11380]
  • ui: Ensure we check intention permissions for specific services when deciding
    whether to show action buttons for per service intention actions [GH-11409]
  • ui: Ensure we filter tokens by policy when showing which tokens use a certain
    policy whilst editing a policy [GH-11311]
  • ui: Ensure we show a readonly designed page for readonly intentions [GH-11767]
  • ui: Filter the global intentions list by the currently selected partition rather
    than a wildcard [GH-11475]
  • ui: Fix inline-code brand styling [GH-11578]
  • ui: Fix visual issue with slight table header overflow [GH-11670]
  • ui: Fixes an issue where under some circumstances after logging in we present the
    data loaded previous to you logging in. [GH-11681]
  • ui: Gracefully recover from non-existent DC errors [GH-11077]
  • ui: Include Service.Namespace into available variables for dashboard_url_templates [GH-11640]
  • ui: Revert to depending on the backend, 'post-user-action', to report
    permissions errors rather than using UI capabilities 'pre-user-action' [GH-11520]
  • ui: Topology - Fix up Default Allow and Permissive Intentions notices [GH-11216]
  • ui: code editor styling (layout consistency + wide screen support) [GH-11474]
  • use the MaxQueryTime instead of RPCHoldTimeout for blocking RPC queries
    [GH-8978]. [GH-10299]
  • windows: fixes arm and arm64 builds [GH-11586]

NOTES:

  • Renamed the agent_master field to agent_recovery in the acl-tokens.json file in which tokens are persisted on-disk (when acl.enable_token_persistence is enabled) [GH-11744]

v1.10.8

Compare Source

1.10.8 (February 11, 2022)

SECURITY:

  • agent: Use SHA256 instead of MD5 to generate persistence file names.

IMPROVEMENTS:

  • sentinel: (Enterprise Only) Sentinel now uses SHA256 to generate policy ids

BUG FIXES:

  • Fix a data race when a service is added while the agent is shutting down. [GH-12302]
  • areas: (Enterprise Only) Fixes a bug when using Yamux pool (for servers version 1.7.3 and later), the entire pool was locked while connecting to a remote location, which could potentially take a long time. [GH-1368]
  • config-entry: fix a panic when creating an ingress gateway config-entry and a proxy service instance, where both provided the same upstream and downstream mapping. [GH-12277]
  • config: include all config errors in the error message, previously some could be hidden. [GH-11918]
  • connect: fixes bug where passthrough addresses for transparent proxies dialed directly weren't being cleaned up. [GH-12223]
  • memberlist: fixes a bug which prevented members from joining a cluster with
    large amounts of churn [GH-253] [GH-12047]
  • snapshot: the snapshot save command now saves the snapshot with read permission for only the current user. [GH-11918]
  • xds: allow only one outstanding delta request at a time [GH-12236]
  • xds: fix for delta xDS reconnect bug in LDS/CDS [GH-12174]
  • xds: prevents tight loop where the Consul client agent would repeatedly re-send config that Envoy has rejected. [GH-12195]

v1.10.7

Compare Source

SECURITY:

  • namespaces: (Enterprise only) Creating or editing namespaces that include default ACL policies or ACL roles now requires acl:write permission in the default namespace. This change fixes CVE-2021-41805.

FEATURES:

  • ui: Adds visible Consul version information [GH-11803]

BUG FIXES:

  • Mutate NodeService struct properly to avoid a data race. [GH-11940]
  • Upgrade to raft 1.3.3 which fixes a bug where a read replica node can trigger a raft election and become a leader. [GH-11958]
  • ca: fixes a bug that caused non blocking leaf cert queries to return the same cached response regardless of ca rotation or leaf cert expiry [GH-11693]
  • ca: fixes a bug that caused the SigningKeyID to be wrong in the primary DC, when the Vault provider is used, after a CA config creates a new root. [GH-11672]
  • ca: fixes a bug that caused the intermediate cert used to sign leaf certs to be missing from the /connect/ca/roots API response when the Vault provider was used. [GH-11671]
  • cli: Display assigned node identities in output of consul acl token list. [GH-11926]
  • cli: when creating a private key, save the file with mode 0600 so that only the user has read permission. [GH-11781]
  • snapshot: (Enterprise only) fixed a bug where the snapshot agent would ignore the license_path setting in config files
  • structs: (Enterprise only) Remove partition field parsing from 1.10 to prevent further 1.11 upgrade compatibility issues.
  • ui: Differentiate between Service Meta and Node Meta when choosing search fields
    in Service Instance listings [GH-11774]
  • ui: Ensure we show a readonly designed page for readonly intentions [GH-11767]
  • ui: Fix an issue where attempting to delete a policy from the policy detail page when
    attached to a token would result in the delete button disappearing and no
    deletion being attempted [GH-11868]
  • ui: Fix visual issue with slight table header overflow [GH-11670]
  • ui: Fixes an issue where once a 403 page is displayed in some circumstances it's
    difficult to click back to where you were before receiving a 403 [GH-11891]
  • ui: Fixes an issue where under some circumstances after logging in we present the
    data loaded previous to you logging in. [GH-11681]
  • ui: Include Service.Namespace into available variables for dashboard_url_templates [GH-11640]
  • ui: Revert to depending on the backend, 'post-user-action', to report
    permissions errors rather than using UI capabilities 'pre-user-action' [GH-11520]
  • ui: Temporarily remove KV pre-flight check for KV list permissions [GH-11968]
  • windows: Fixes a bug with empty log files when Consul is run as a Windows Service [GH-11960]
  • xds: fix a deadlock when the snapshot channel already has a snapshot to be consumed. [GH-11924]

v1.10.6

Compare Source

SECURITY:

v1.10.5

Compare Source

SECURITY:

BUG FIXES:

  • agent: (Enterprise only) fix bug where 1.10.x agents would deregister serf checks from 1.11.x servers [GH-11700]

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

Verified

This commit was signed with the committer’s verified signature.
renovate-bot Mend Renovate
@renovate renovate bot requested a review from Clivern as a code owner February 13, 2022 02:38
@Clivern Clivern merged commit 19df6e4 into main Feb 13, 2022
@Clivern Clivern deleted the renovate/consul-1.x branch February 13, 2022 09:23

mergify bot commented Feb 13, 2022

Nice! PR merged successfully.
